arXiv: 1507.02519v3 [cs.LO] 4 Dec 2015

SAT-Based Explicit LTL Reasoning

Jianwen Li, Shufang Zhu, Geguang Pu, and Moshe Y. Vardi

Department of Computer Science, Rice University, USA
Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, P. R. China


Abstract. We present here a new explicit reasoning framework for linear temporal logic (LTL), which is built on top of propositional satisfiability (SAT) solving. As a proof-of-concept of this framework, we describe a new LTL satisfiability algorithm. We implemented the algorithm in a tool, Aalta_v2.0, which is built on top of the Minisat SAT solver. We tested the effectiveness of this approach by demonstrating that Aalta_v2.0 significantly outperforms all existing LTL satisfiability solvers.


1 Introduction 

Linear Temporal Logic (LTL) was introduced into program verification in [25]. Since then it has been widely accepted as a language for the specification of ongoing computations [20] and it is a key component in the verification of reactive systems [4,14]. Explicit temporal reasoning, which involves an explicit construction of temporal transition systems, is a key algorithmic component in this context. For example, explicitly translating LTL formulas to Büchi automata is a key step both in explicit-state model checking [11] and in runtime verification [31]. LTL satisfiability checking, a step that should take place before verification, to assure consistency of temporal requirements, also uses explicit reasoning [26]. These tasks are known to be quite demanding computationally for complex temporal properties [11, 26, 31]. A way to get around this difficulty is to replace explicit reasoning by symbolic reasoning, e.g., as in BDD-based or SAT-based model checking [23, 22], but in many cases the symbolic approach is inefficient [26] or inapplicable [31]. Thus, explicit temporal reasoning remains an indispensable algorithmic tool.

The main approach to explicit temporal reasoning is based on the tableau technique, in which a recursive syntactic decomposition of temporal formulas drives the construction of temporal transition systems. This approach is based on the technique of propositional tableau, whose essence is search via syntactic splitting [6]. This is in contrast to modern propositional satisfiability (SAT) solvers, whose essence is search via semantic splitting [19]. The tableau approach to temporal reasoning underlies both the best LTL-to-automata translator [8] and the best LTL-satisfiability checker [18]. Thus, we have a situation where in the symbolic setting much progress is being attained both by the impressive improvement in the capabilities of modern SAT solvers [19] as well as new SAT-based model-checking algorithms [1,3], while progress in explicit temporal reasoning is slower and does not fully leverage modern SAT solving. (It should be noted that several LTL satisfiability solvers, including Aalta [17] and ls4 [30], do employ SAT solvers, but they do so as an aid to the main reasoning engine, rather than serve as the main reasoning engine.)

Our main aim in this paper is to study how SAT solving can be fully leveraged in 
explicit temporal reasoning. The key intuition is that explicit temporal reasoning 
consists of construction of states and transitions, subject to temporal constraints. 
Such temporal constraints can be reduced to a sequence of Boolean constraints, 
which enables the application of SAT solving. This idea underlies the complexity- 
theoretic analysis in [33], and has been explored in the context of modal logic 
[12], but not yet in the context of explicit temporal reasoning. Our belief is that 
SAT solving would prove to be superior to tableau in that context. 

We describe in this paper a general framework for SAT-based explicit temporal reasoning. The crux of our approach is a construction of temporal transition systems that uses SAT solving rather than tableau to construct states and transitions. The obtained transition system can be used for LTL-satisfiability solving, LTL-to-automata translation, and runtime-monitor construction.

As proof of concept for the new framework, we use it to develop a SAT-based algorithm for LTL-satisfiability checking. We also propose several heuristics to speed up the checking by leveraging SAT solvers. We implemented the algorithm and heuristics in an LTL-satisfiability solver Aalta_v2.0. To evaluate its performance, we compared it against Aalta, the existing best-of-breed LTL-satisfiability solver [18,17], which is tableau-based. We also compare it against NuXmv, a symbolic LTL-satisfiability solver that is based on cutting-edge SAT-based model-checking algorithms [1,3], which outperforms Aalta. We show that our explicit SAT-based LTL-satisfiability solver outperforms both.

In summary, the contributions in this paper are as follows: 

— We propose a SAT-based explicit LTL-reasoning framework. 

— We show a successful application of the framework to LTL-satisfiability 
checking, by designing a novel algorithm and efficient heuristics. 

— We compare our new framework for LTL-satisfiability checking with existing 
approaches. The experimental results demonstrate that our tool significantly 
outperforms other existing LTL satisfiability solvers. 

The paper is organized as follows. Section 2 provides technical background. 
Section 3 introduces the new SAT-based explicit-reasoning framework. Section 
4 describes in detail the application to LTL-satisfiability checking. Section 5 
shows the experimental results for LTL-satisfiability checking. Finally Section 6 
provides concluding remarks. Missing proofs are in the Appendix. 

2 Preliminaries 

Linear Temporal Logic (LTL) is considered as an extension of propositional logic, in which the temporal connectives X (next) and U (until) are introduced. Let $AP$ be a set of atomic propositions. The syntax of LTL formulas is defined by:

where $a \in AP$, $tt$ is true and $ff$ is false. We introduce the R (release) connective as the dual of U, which means $\phi R \psi = \neg(\neg\phi\, U\, \neg\psi)$. We also use the usual abbreviations: $Fa = tt\, U\, a$, and $Ga = ff\, R\, a$.

We say that $a$ is a literal if it is an atomic proposition or its negation. Throughout the paper, we use $L$ to denote the set of literals, lower case letters $a, b, c, l$ to denote literals, $\alpha$ to denote propositional formulas, and $\phi, \psi$ for LTL formulas. We consider LTL formulas in negation normal form (NNF), which can be achieved by pushing all negations in front of atoms only. Since we consider LTL in NNF, formulas are interpreted here on infinite literal sequences, whose alphabet is $\Sigma := 2^{L}$.

A trace $\xi = \omega_0\omega_1\omega_2\ldots$ is an infinite sequence in $\Sigma^\omega$. For $\xi$ and $k \geq 1$ we use $\xi^k = \omega_0\omega_1\cdots\omega_{k-1}$ to denote a prefix of $\xi$ and $\xi_k = \omega_k\omega_{k+1}\ldots$ to denote a suffix of $\xi$. Thus, $\xi = \xi^k\xi_k$. The semantics of LTL with respect to an infinite trace $\xi$ is given by:

— $\xi \models \alpha$ iff $\omega_0 \models \alpha$, where $\alpha$ is a propositional formula;

— $\xi \models X\phi$ iff $\xi_1 \models \phi$;

— $\xi \models \phi_1 U \phi_2$ iff there exists $i \geq 0$ such that $\xi_i \models \phi_2$ and for all $0 \leq j < i$, $\xi_j \models \phi_1$;

— $\xi \models \phi_1 R \phi_2$ iff for all $i \geq 0$, it holds that $\xi_i \models \phi_2$ or there exists $0 \leq j < i$ such that $\xi_j \models \phi_1$.

The closure of an LTL formula $\phi$, denoted as $cl(\phi)$, is a formula set such that: (1) $\phi$ is in $cl(\phi)$; (2) $\psi$ is in $cl(\phi)$ if $\phi = X\psi$ or $\phi = \neg\psi$; (3) $\phi_1, \phi_2$ are in $cl(\phi)$ if $\phi = \phi_1\ op\ \phi_2$, where $op$ can be $\wedge, \vee, U$ and $R$; (4) $(X\psi) \in cl(\phi)$ if $\psi \in cl(\phi)$ and $\psi$ is an Until or Release formula. We say each $\psi$ in $cl(\phi)$ which is added via rules (1)-(3) is a subformula of $\phi$. Note that the standard definition of LTL closure consists only of rules (1)-(3). Rule (4) is added in this paper due to its usage in later sections. Note that the size of $cl(\phi)$ is linear in the length of $\phi$, even with the addition of rule (4).

3 Explicit LTL Reasoning 

In this section we introduce the framework of explicit LTL reasoning. To demonstrate clearly both the similarity and the difference between our approach and previous ones, we organize this section as follows. We first provide a general definition of temporal transition systems, which underlies both our new approach and previous approaches. We then discuss how traditional methods and our new one relate to this framework.

3.1 Temporal Transition System 

As argued in [32,12], the key to efficient modal reasoning is to reason about states and transitions propositionally. We show here how the same approach can be applied to LTL. Unlike modal logic, where there is a clear separation between formulas that talk about the current state and formulas that talk about successor states (the latter are formulas in the scope of $\Box$ or $\Diamond$, i.e. G or F in LTL), LTL formulas do not allow for such a clean separation. Achieving such a separation requires some additional work.

We first define propositional satisfiability of LTL formulas.

Definition 1 (Propositional Satisfiability). For an LTL formula $\phi$, a propositional assignment for $\phi$ is a set $A \subseteq cl(\phi)$ such that

— every literal $\ell \in L$ is either in $A$ or its negation is, but not both;

— $(\phi_1 \wedge \phi_2) \in A$ implies $\phi_1 \in A$ and $\phi_2 \in A$;

— $(\phi_1 \vee \phi_2) \in A$ implies $\phi_1 \in A$ or $\phi_2 \in A$;

— $(\phi_1 U \phi_2) \in A$ implies $\phi_2 \in A$ or both $\phi_1 \in A$ and $(X(\phi_1 U \phi_2)) \in A$. In the former case, that is, $\phi_2 \in A$, we say that $A$ satisfies $(\phi_1 U \phi_2)$ immediately. In the latter case, we say that $A$ postpones $(\phi_1 U \phi_2)$;

— $(\phi_1 R \phi_2) \in A$ implies $\phi_2 \in A$ and either $\phi_1 \in A$ or $(X(\phi_1 R \phi_2)) \in A$. In the former case, that is, $\phi_1 \in A$, we say that $A$ satisfies $(\phi_1 R \phi_2)$ immediately. In the latter case, we say that $A$ postpones $(\phi_1 R \phi_2)$.

We say that a propositional assignment $A$ propositionally satisfies $\phi$, denoted as $A \models_p \phi$, if $\phi \in A$. We say an LTL formula $\phi$ is propositionally satisfiable if there is a propositional assignment $A$ for $\phi$ such that $A \models_p \phi$.

For example, consider the formula $\phi = (aUb) \wedge (\neg b)$. The set $A_1 = \{a, (aUb), (\neg b), (X(aUb))\} \subseteq cl(\phi)$ is a propositional assignment that propositionally satisfies $\phi$. In contrast, the set $A_2 = \{(aUb), \neg b\} \subseteq cl(\phi)$ is not a propositional assignment. The following theorem shows the relationship between an LTL formula $\phi$ and its propositional assignments.

Theorem 1. For an LTL formula $\phi$ and an infinite trace $\xi \in \Sigma^\omega$, we have that $\xi \models \phi$ iff there exists a propositional assignment $A \subseteq cl(\phi)$ such that $A$ propositionally satisfies $\phi$ and $\xi \models \bigwedge A$.

Since a propositional assignment of an LTL formula $\phi$ contains the information for both current and next states, we are ready to define the transition system of an LTL formula.

Definition 2. Given an LTL formula $\phi$, the transition system $T_\phi$ is a tuple $(S, S_0, T)$ where

— $S$ is the set of states $s \subseteq cl(\phi)$ that are propositional assignments for $\phi$. The trace of a state $s$ is $s \cap L$, that is, the set of literals in $s$.

— $S_0 \subseteq S$ is a set of initial states, where $\phi \in s_0$ for all $s_0 \in S_0$.

— $T \subseteq S \times S$ is the transition relation, where $T(s_1, s_2)$ holds if $(X\theta) \in s_1$ implies $\theta \in s_2$, for all $X\theta \in cl(\phi)$.

A run of $T_\phi$ is an infinite sequence $s_0, s_1, \ldots$ such that $s_0 \in S_0$ and $T(s_i, s_{i+1})$ holds for all $i \geq 0$.



Every run $r = s_0, s_1, \ldots$ of $T_\phi$ induces a trace $trace(r) = trace(s_0), trace(s_1), \ldots$ in $\Sigma^\omega$. In general, it need not hold that $trace(r) \models \phi$. This requires an additional condition. Consider an Until formula $(\theta_1 U \theta_2) \in s_i$. Since $s_i$ is a propositional assignment for $\phi$ we either have that $s_i$ satisfies $(\theta_1 U \theta_2)$ immediately or that it postpones it, and then $(\theta_1 U \theta_2) \in s_{i+1}$. If $s_j$ postpones $(\theta_1 U \theta_2)$ for all $j \geq i$, then we say that $(\theta_1 U \theta_2)$ is stuck in $r$.

Theorem 2. Let $r$ be a run of $T_\phi$. If no Until subformula is stuck in $r$, then $trace(r) \models \phi$. Also, $\phi$ is satisfiable if there is a run $r$ of $T_\phi$ so that no Until subformula is stuck in $r$.

We have now shown that the temporal transition system $T_\phi$ is intimately related to the satisfiability of $\phi$. The definition of $T_\phi$ is, however, rather nonconstructive. In the next subsection we discuss how to construct $T_\phi$.

3.2 System Construction 

First, we show how one can consider LTL formulas as propositional ones. This 
requires considering temporal subformulas as propositional atoms. We now define 
the propositional atoms of LTL formulas. 

Definition 3 (Propositional Atoms). For an LTL formula $\phi$, we define the set of propositional atoms of $\phi$, i.e. $PA(\phi)$, as follows:

1. $PA(\phi) = \{\phi\}$ if $\phi$ is an atom, Next, Until or Release formula;

2. $PA(\phi) = PA(\psi)$ if $\phi = \neg\psi$;

3. $PA(\phi) = PA(\phi_1) \cup PA(\phi_2)$ if $\phi = (\phi_1 \wedge \phi_2)$ or $\phi = (\phi_1 \vee \phi_2)$.

Consider, for example, the formula $\phi = (a \wedge (aUb) \wedge \neg(X(a \vee b)))$. Here we have that $PA(\phi)$ is $\{a, (aUb), (X(a \vee b))\}$. Intuitively, the propositional atoms are obtained by treating all temporal subformulas of $\phi$ as atomic propositions. Thus, an LTL formula $\phi$ can be viewed as a propositional formula over $PA(\phi)$.

Definition 4. For an LTL formula $\phi$, let $\phi^p$ be $\phi$ considered as a propositional formula over $PA(\phi)$.

We now introduce the neXt Normal Form (XNF) of LTL formulas, which separates the "current" and "next-state" parts of the formula, at a cost only linear in the original formula size.

Definition 5 (neXt Normal Form). An LTL formula $\phi$ is in neXt Normal Form (XNF) if there are no Until or Release subformulas of $\phi$ in $PA(\phi)$.

For example, $\phi = (aUb)$ is not in XNF, while $(b \vee (a \wedge (X(aUb))))$ is in XNF. Every LTL formula $\phi$ can be converted, at cost linear in the formula size, to an equivalent formula in XNF.

Theorem 3. For an LTL formula $\phi$, there is an equivalent formula $xnf(\phi)$ that is in XNF. Furthermore, the cost of the conversion is linear.



Proof. To construct $xnf(\phi)$, we can apply the expansion rules $(\phi_1 U \phi_2) = (\phi_2 \vee (\phi_1 \wedge X(\phi_1 U \phi_2)))$ and $(\phi_1 R \phi_2) = (\phi_2 \wedge (\phi_1 \vee X(\phi_1 R \phi_2)))$. In detail, we can construct $xnf(\phi)$ inductively:

1. $xnf(\phi) = \phi$ if $\phi$ is $tt$, $ff$, a literal $l$ or a Next formula $X\psi$;

2. $xnf(\phi) = xnf(\phi_1) \wedge xnf(\phi_2)$ if $\phi = (\phi_1 \wedge \phi_2)$;

3. $xnf(\phi) = xnf(\phi_1) \vee xnf(\phi_2)$ if $\phi = (\phi_1 \vee \phi_2)$;

4. $xnf(\phi) = (xnf(\phi_2)) \vee (xnf(\phi_1) \wedge X\phi)$ if $\phi = (\phi_1 U \phi_2)$;

5. $xnf(\phi) = xnf(\phi_2) \wedge (xnf(\phi_1) \vee X\phi)$ if $\phi = (\phi_1 R \phi_2)$.

Since the construction is built on the two expansion rules, which preserve the equivalence of formulas, it follows that $\phi$ is logically equivalent to $xnf(\phi)$. Note that the conversion map $xnf(\phi)$ doubles the size of the converted formula $\phi$, but since the conversion puts Until and Release subformulas in the scope of Next, and the conversion stops when it comes to Next subformulas, the cost is at most linear. □

We can now state propositional satisfiability of LTL formulas in terms of satisfiability of propositional formulas. That is, by restricting LTL formulas to XNF, a satisfying assignment of $\phi^p$, which can be obtained by using a SAT solver, corresponds precisely to a propositional assignment of the formula $\phi$.

Theorem 4. For an LTL formula $\phi$ in XNF, if there is a satisfying assignment $A$ of $\phi^p$, then there is a propositional assignment $A'$ of $\phi$ that satisfies $\phi$ such that $A' \cap PA(\phi) \subseteq A$. Conversely, if there is a propositional assignment $A'$ of $\phi$ that satisfies $\phi$, then there is a satisfying assignment $A$ of $\phi^p$ such that $A' \cap PA(\phi) \subseteq A$.

Proof. ($\Rightarrow$) Let $A$ be a satisfying assignment of $\phi^p$. Then let $A'$ be the set of all formulas $\psi \in cl(\phi)$ such that $A$ satisfies $(xnf(\psi))^p$. We clearly have that $A' \cap PA(\phi) \subseteq A$. According to Definition 1 and because $\phi$ is in XNF, we have that $A'$ is a propositional assignment of $\phi$ that satisfies $\phi$.

($\Leftarrow$) Let $A'$ be a propositional assignment of $\phi$ that satisfies $\phi$. Then let $A$ be the assignment that assigns true to $\psi \in cl(\phi)$ precisely when $\psi \in A'$. Again, we clearly have that $A' \cap PA(\phi) \subseteq A$. According to Definition 1 and because $\phi$ is in XNF, we have that $A$ is a satisfying assignment of $\phi^p$. □

Theorem 4 shows that by requiring the formula $\phi$ to be in XNF, we can construct the states of the transition system $T_\phi$ via computing satisfying assignments of $\phi^p$ over $PA(\phi)$. Let $t$ be a satisfying assignment of $\phi^p$ and $A_t$ be the related propositional assignment of $\phi$ generated from $t$ by Theorem 4; the construction operates as follows:

1. Let $S_0 = \{A_t \mid t \models \phi^p\}$, and let $S := S_0$;

2. Compute $S_i = \{A_t \mid t \models (xnf(\bigwedge X(s_i)))^p\}$ for each $s_i \in S$, where $X(s_i) = \{\theta \mid (X\theta) \in s_i\}$; and update $S := S \cup S_i$;

3. Stop if $S$ does not change; else go back to step 2.



The construction first generates initial states (step 1), and then all states reachable from initial ones (step 2); it terminates once no new reachable state can be generated (step 3). So $S$ is the set of system states and its size is bounded by $2^{|cl(\phi)|}$.

Our goal here is to show that we can construct the transition system $T_\phi$ by means of SAT solving. This requires us to refine Theorem 2. A key issue in how a propositional assignment handles an Until formula is whether it satisfies it immediately or postpones it. We introduce new propositions that indicate which is the case, and we refine the implementation of $xnf()$. Given $\psi = (\psi_1 U \psi_2)$, we introduce a new proposition $v(\psi)$, and use the following conversion rule: $xnf(\psi) = (v(\psi) \wedge \psi_2) \vee ((\neg v(\psi)) \wedge \psi_1 \wedge (X\psi))$. Thus, $v(\psi)$ is required to be true when the Until is satisfied immediately, and false when the Until is postponed. Now we can state the refinement of Theorem 2.

Theorem 5. For an LTL formula $\phi$, $\phi$ is satisfiable iff there is a finite run $r = s_0, s_1, \ldots, s_n$ in $T_\phi$ such that

1. There is $0 \leq m < n$ such that $s_m = s_n$;

2. Let $Q = \bigcup_{i=m}^{n} s_i$. If $\psi = (\psi_1 U \psi_2) \in Q$, then $v(\psi) \in Q$.

Proof. Suppose first that items 1 and 2 hold. Then the infinite sequence $r' = s_0, \ldots, s_m, (s_{m+1}, \ldots, s_n)^\omega$ is an infinite run of $T_\phi$. It follows from Item 2 that no Until subformula is stuck in $r'$. By Theorem 2, we have that $r' \models \phi$.

Suppose now that $\phi$ is satisfiable. By Theorem 2, there is an infinite run $r'$ of $T_\phi$ in which no Until subformula is stuck. Let $r' = s_0, s_1, \ldots$ be such a run. Each $s_i$ ($i \geq 0$) is a state of $T_\phi$, and the number of states is bounded by $2^{|cl(\phi)|}$. Thus, there must be $0 \leq m < n$ such that $s_m = s_n$. Let $Q = \bigcup_{i=m}^{n} s_i$. Since no Until subformula can be stuck in $r'$, if $\psi = \psi_1 U \psi_2 \in Q$, then it must be that $v(\psi) \in Q$. □

The significance of Theorem 5 is that it reduces LTL satisfiability checking to searching for a "lasso" in $T_\phi$ [5]. Item 1 says that we need to search for a prefix followed by a cycle, while Item 2 provides a way to test that no Until subformula gets stuck in the infinite run in which the cycle $s_{m+1}, \ldots, s_n$ is repeated infinitely often.


3.3 Related Work 

We introduced our SAT-based reasoning approach above, and in this section we discuss the difference between our SAT-based approach and earlier works. Earlier approaches to transition-system construction for LTL formulas, based on tableau [11] and normal form [18], generate the system states explicitly or implicitly via a translation to disjunctive normal form (DNF). In [18], the conversion to DNF is explicit (though various heuristics are used to temper the exponential blow-up) and the states generated correspond to the disjuncts. In tableau-based tools, cf. [11,7], the construction is based on iterative syntactic splitting in which a state of the form $A \cup \{\theta_1 \vee \theta_2\}$ is split into the states $A \cup \{\theta_1\}$ and $A \cup \{\theta_2\}$.

The approach proposed here is based on SAT solving, where the states correspond to satisfying assignments. Satisfying assignments are generated via a search process that is guided by semantic splitting. The advantage of using SAT solving rather than syntactic approaches is the impressive progress in the development of heuristics that have evolved to yield highly efficient SAT solving: unit propagation, two-literal watching, back jumping, clause learning, and more, see [19]. Furthermore, SAT solving continues to evolve at an impressive pace, driven by an annual competition (see http://www.satcompetition.org/). It should be remarked that an analogous debate, between syntactic and semantic approaches, took place in the context of automated test-pattern generation for circuit designs, where, ultimately, the semantic approach has been shown to be superior [16].

Furthermore, relying on SAT solving as the underlying reasoning technology enables us to decouple temporal reasoning from propositional reasoning. Temporal reasoning is accomplished via a search in the transition system, while the construction of the transition system requires propositional reasoning, which is done using SAT solving.


4 LTL Satisfiability Checking 

Given an LTL formula $\phi$, the satisfiability problem is to ask whether there is an infinite trace $\xi$ such that $\xi \models \phi$. In the previous section we introduced a SAT-based LTL-reasoning framework and showed how it can be applied to solve LTL reasoning problems. In this section we use this framework to develop an efficient SAT-based algorithm for LTL satisfiability checking. We design a depth-first-search (DFS) algorithm that constructs the temporal transition system on the fly and searches for a trace per Theorem 5. Furthermore, we propose several heuristics to reduce the search space. Due to the limited space, we offer here a high-level description of the algorithms. Details are provided in Appendix C.


4.1 The Main Algorithm 

The main algorithm, LTL-CHECK, creates the temporal transition system of the input formula on-the-fly, and searches for a lasso in a DFS manner. Several prior works describe algorithms for DFS lasso search, cf. [5,18,28]. Here we focus on the steps that are specialized to our algorithm.

The key idea of LTL-CHECK is to create states and their successors using SAT techniques rather than traditional tableau or expansion techniques. Given the current formula $\phi$, we first compute its XNF version $xnf(\phi)$, and then use a SAT solver to compute the satisfying assignments of $(xnf(\phi))^p$. Let $P$ be a satisfying assignment for $(xnf(\phi))^p$; from the previous section we know that $X(P) = \{\theta \mid X\theta \in P\}$ yields a successor state in $T_\phi$. We implement this approach in the getState function, which we improve later by introducing some heuristics. By enumerating all assignments of $(xnf(\phi))^p$ we can obtain all successor states of $P$. Note, however, that LTL-CHECK runs in the DFS manner, under which only a single state is needed at a time, so additional effort must be taken to maintain history information of the next-state generation for each state $P$.

As soon as LTL-CHECK detects a lasso, it checks whether the lasso is accepting. Previous lasso-search algorithms operate on the Büchi automaton generated from the input formula. In contrast, here we focus directly on the satisfaction of Until subformulas per Theorem 5. We use the example below to show the general idea. Consider the formula $\phi = G((Fb) \wedge (Fc))$. By Theorem 3, $xnf(\phi) = xnf(Fb) \wedge xnf(Fc) \wedge X\phi$, where $xnf(Fb) = ((b \wedge v(Fb)) \vee (\neg v(Fb) \wedge X(Fb)))$ and $xnf(Fc) = ((c \wedge v(Fc)) \vee (\neg v(Fc) \wedge X(Fc)))$. Suppose we get from the SAT solver an assignment of $(xnf(\phi))^p$, $P = \{v(Fb), \neg v(Fc), b, \neg c, \neg X(Fb), X(Fc), X\phi\}$. By Theorem 4, we create a satisfying assignment $A'$ that includes all formulas in $cl(\phi)$ that are satisfied by $P$, and we get the state $s_0 = P \cup \{\phi, Fb, Fc, (Fb) \wedge (Fc)\}$. To obtain the next state, we start with $X(s_0) = \{Fc, \phi\}$, compute $xnf(Fc \wedge \phi)$ and repeat the process. After several steps LTL-CHECK may find a path $s_0 \to s_1 \to s_0$, where $s_1 = \{\phi, Fb, Fc, (Fb) \wedge (Fc), \neg v(Fb), v(Fc), \neg b, c, X(Fb), \neg X(Fc), X\phi\}$. Now $s_0$ and $s_1$ form a lasso. Let $Q = s_0 \cup s_1$. Both $Fb$ and $Fc$ are in $Q$, and also $v(Fb)$ and $v(Fc)$ are in $Q$. By Theorem 5, $\phi$ is satisfiable.
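The following is an added example, not code from the paper or from the Aalta tool. It implements the XNF conversion of Section 3.2 with the v(ψ) propositions, builds the states of T_φ from the satisfying assignments of xnf(φ)^p (Theorem 4, with the successor formula ∧X(s) as in Section 3.2), and decides satisfiability by the lasso condition of Theorem 5 as used by LTL-CHECK above. Exhausting the assignments of PA(xnf(φ)) stands in for the SAT solver, and the cycle condition is checked once per strongly connected component instead of per lasso during a DFS, which goes beyond the single lasso the text shows; the tuple encoding of formulas and all function names are my own.

```python
from itertools import product

# NNF syntax, a constructed encoding: ('tt',) ('ff',) ('lit', name, positive)
# ('and', f, g) ('or', f, g) ('X', f) ('U', f, g) ('R', f, g)
TT, FF = ('tt',), ('ff',)

def lit(name, positive=True): return ('lit', name, positive)
def F(f): return ('U', TT, f)                                 # F a = tt U a
def G(f): return ('R', FF, f)                                 # G a = ff R a
def v(psi, positive=True): return lit(('v', psi), positive)   # the v(psi) proposition

def xnf(f, expanded):
    """xnf(f) with the v-refined Until rule; Untils not under a Next go into `expanded`."""
    op = f[0]
    if op in ('tt', 'ff', 'lit', 'X'):
        return f
    if op in ('and', 'or'):
        return (op, xnf(f[1], expanded), xnf(f[2], expanded))
    if op == 'U':                        # (v & xnf(f2)) | (~v & xnf(f1) & X f)
        expanded.add(f)
        return ('or', ('and', v(f), xnf(f[2], expanded)),
                ('and', v(f, False), ('and', xnf(f[1], expanded), ('X', f))))
    return ('and', xnf(f[2], expanded), ('or', xnf(f[1], expanded), ('X', f)))  # Release

def atoms(f):
    """PA(f): literal names plus X/U/R subformulas read as atoms (Definition 3)."""
    if f[0] in ('tt', 'ff'): return set()
    if f[0] == 'lit': return {f[1]}
    if f[0] in ('and', 'or'): return atoms(f[1]) | atoms(f[2])
    return {f}

def holds(f, A):
    """Truth of f^p under a total assignment A (dict: atom -> bool)."""
    op = f[0]
    if op == 'tt': return True
    if op == 'ff': return False
    if op == 'lit': return A[f[1]] == f[2]
    if op == 'and': return holds(f[1], A) and holds(f[2], A)
    if op == 'or': return holds(f[1], A) or holds(f[2], A)
    return A[f]

def conj(fs):
    fs = list(fs)
    if not fs: return TT
    return fs[0] if len(fs) == 1 else ('and', fs[0], conj(fs[1:]))

def states(rep):
    """States with representative formula `rep`, one per satisfying assignment of xnf(rep)^p
    (Theorem 4).  Yields (key, successor formula, Untils held, Untils satisfied immediately)."""
    untils = set()
    x = xnf(rep, untils)
    names = sorted(atoms(x), key=repr)
    for bits in product((False, True), repeat=len(names)):   # brute force in place of SAT
        A = dict(zip(names, bits))
        if not holds(x, A): continue
        held = frozenset(u for u in untils if holds(xnf(u, set()), A))
        now = frozenset(u for u in held if A[('v', u)])      # v(u) true: satisfied now
        nxt = conj(sorted((a[1] for a, b in A.items()          # /\ X(s) of Section 3.2
                           if b and isinstance(a, tuple) and a[0] == 'X'), key=repr))
        yield (rep, frozenset(A.items())), nxt, held, now

def transition_system(phi):
    """Steps 1-3 of Section 3.2: initial states, then every reachable successor."""
    info, succ, todo = {}, {}, []
    def add(st):
        if st[0] not in info:
            info[st[0]] = st
            todo.append(st[0])
        return st[0]
    init = [add(s) for s in states(phi)]
    while todo:
        k = todo.pop()
        succ[k] = [add(s) for s in states(info[k][1])]
    return init, succ, info

def satisfiable(phi):
    """Theorem 5: phi is satisfiable iff some reachable cycle Q has v(psi) in Q for every
    Until psi in Q.  A postponed Until is carried into every successor, so testing each
    non-trivial strongly connected component as a whole is equivalent."""
    init, succ, info = transition_system(phi)
    index, low, stack, onstack = {}, {}, [], set()
    def scc_from(k):                     # Tarjan's SCC algorithm, stopping at success
        index[k] = low[k] = len(index)
        stack.append(k); onstack.add(k)
        for w in succ[k]:
            if w not in index:
                if scc_from(w): return True
                low[k] = min(low[k], low[w])
            elif w in onstack:
                low[k] = min(low[k], index[w])
        if low[k] != index[k]: return False
        scc = []
        while True:
            w = stack.pop(); onstack.discard(w); scc.append(w)
            if w == k: break
        if len(scc) == 1 and k not in succ[k]: return False   # no cycle through it
        held = frozenset().union(*(info[w][2] for w in scc))
        return held <= frozenset().union(*(info[w][3] for w in scc))
    return any(scc_from(k) for k in init if k not in index)
```

`satisfiable(G(('and', F(lit('b')), F(lit('c')))))` reproduces the example above, and the unsatisfiable formula of Section 4.2, `G(Fa) ∧ Gb ∧ F¬b`, is rejected because `F¬b` is held in every reachable state but never satisfied immediately.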

4.2 Heuristics for State Elimination 

While LTL-CHECK uses an efficient SAT solver to compute states of the system in the getState function, this approach is effective in creating states and their successors, but cannot be used to guide the overall search. To find a satisfying lasso faster, we add heuristics that drive the search towards satisfaction. The key to these heuristics is choosing smartly the next state returned by the SAT solver. This can be achieved by adding more constraints to the SAT solver. Experiments show these heuristics are critical to the performance of our LTL-satisfiability tool. The construction of a state in the transition system always starts with a formula. At the beginning, we have the input formula $\phi_0$ and we take the following steps: (1) Compute $xnf(\phi_0)$; (2) Call a SAT solver to get an assignment $P_0$ of $(xnf(\phi_0))^p$; and (3) Derive a state $s_0$ from $P_0$. Then, to get a successor state, we start with the formula $\phi_1 = \bigwedge X(P_0)$, and repeat steps (1-3). Thus, every state $s$ is obtained from some formula $\phi_s$, which we call the representative formula. Note that with the possible exception of $\phi_0$, all representative formulas are conjunctions. Let $\phi_s = \bigwedge_{1 \leq i \leq n} \theta_i$ be the representative formula of a state $s$; we say that $\theta_i$ ($1 \leq i \leq n$) is an obligation of $\phi_s$ if $\theta_i$ is an Until formula. Thus, we associate with the state $s$ a set of obligations, which are the Until conjunctive elements of $\phi_s$. (The initial state may have obligations if it is a conjunction.) The approach we now describe is to satisfy obligations as early as possible during the search, so that a satisfying lasso is obtained earlier. We now refine the getState function, and introduce three heuristics via examples.

Fig. 1. A satisfiable formula. In the figure $\phi_0 = G((Fa) \wedge (F\neg a))$, $\phi_1 = ((Fa) \wedge (F\neg a) \wedge \phi_0)$, $\phi_2 = ((F\neg a) \wedge \phi_0)$ and $\phi_3 = ((Fa) \wedge \phi_0)$. These representative formulas correspond to states $s_0, s_1, s_2, s_3$, respectively.

The getState function keeps a global obligation set, collecting all obligations so far not satisfied in the search. The obligation set is initialized with the obligations of the initial formula $\phi_0$. When an obligation $o$ is satisfied (i.e., when $v(o)$ is true), $o$ is removed from the obligation set. Once the obligation set becomes empty in the search, it is reset to contain the obligations of the current representative formula $\phi_i$. In Fig. 1, we denote the obligation set by $O$. $O$ is initialized to $\emptyset$, as there is no obligation in $\phi_0$. $O$ is then reset in the states $s_1$ and $s_3$, when it becomes empty. The getState function runs in the ELIMINATION mode by default, in which it obtains the next state guided by the obligations of the current state. For satisfiable formulas, this leads to faster lasso detection. Consider the formula $\phi = G((Fa) \wedge (F\neg a))$. Parts of the temporal transition system are shown in Fig. 1. In the figure, $O$ is reset to $\{(Fa), (F\neg a)\}$ in state $s_1$, as these are the obligations of $\phi_1$. To drive the search towards early satisfaction of obligations, we obtain a successor of $s_1$ by applying the SAT solver to the formula $(xnf(\phi_1) \wedge (v(Fa) \vee v(F\neg a)))^p$, to check whether $Fa$ or $F\neg a$ can be satisfied immediately. If the returned assignment satisfies $v(Fa)$, then we get the successor state $s_2$ with the representative formula $\phi_2$, and $(Fa)$ is removed from $O$. Then the next state is $s_3$ with the representative formula $\phi_3$, which removes the obligation $(F\neg a)$. Since $O$ becomes empty, it is reset to the obligations $\{Fa\}$ of $\phi_3$. Note that in Fig. 1, there should be transitions from $s_2$ to $s_1$ and from $s_3$ to $s_2$, but they are never traversed under the ELIMINATION mode.

The getState function runs in the SAT_PURSUING mode when the obligation set becomes empty. In this mode, we want to check whether the next state can be a state that has been visited before and after that visit the obligation set has become empty. In this case, the generated lasso is accepting, by Theorem 5. In Fig. 1, the obligation set $O$ becomes empty in state $s_3$. Previously, it had become empty in $s_1$. Normally, we find a successor state for $s_3$ by applying the SAT solver to $(xnf(\phi_3))^p$. To find out if either $s_0$ or $s_1$ can be a successor of $s_3$, we apply the SAT solver to the formula $(xnf(\phi_3) \wedge (X(\phi_0) \vee X(\phi_1)))^p$. Since this formula is satisfiable and indicates a transition from $s_3$ to $s_1$ ($X\phi_1$ can be assigned true in the assignment), we have found that $trace(s_0), (trace(s_1), trace(s_2), trace(s_3))^\omega$ satisfies $\phi$. In the figure, the transitions labeled x represent failed attempts to generate the lasso when $O$ becomes empty. Although failed attempts have a computational cost, trying to close cycles aggressively does pay off.

The getState function runs in the CONFLICT_ANALYZE mode if all formulas in the obligation set are postponed in the ELIMINATION mode. The goal of this mode is to eliminate "conflicts" that block immedi­ate satisfaction of obligations. To achieve this, we use a conflict-guided strategy. Consider, for example, the formula $\phi = a \wedge (Xb) \wedge F((\neg a) \wedge (\neg b))$. Here the formula $\psi = F((\neg a) \wedge (\neg b))$ is an obligation. We check whether $\psi$ can be satisfied immediately, but it fails. The reason for this failure is the conjunct $a$ in $\phi$, which conflicts with the obligation $\psi$. We identify this conflict using a minimal unsat core algorithm [21]. To eliminate this conflict, we add the conjunct $\neg Xa$ to $\phi$, hoping to be able to satisfy the obligation immediately in the next state. When we apply the SAT solver to $(xnf(\phi) \wedge (\neg Xa))^p$, we obtain a successor state with the representative formula $\phi_1 = (b \wedge \psi)$, again with $\psi$ as an obligation. When we try to satisfy $\psi$ immediately, we fail again, since $\psi$ conflicts with $b$. To block both conflicts, we add $\neg Xb$ as an additional constraint, and apply the SAT solver to $(xnf(\phi) \wedge (\neg Xa) \wedge (\neg Xb))^p$. This yields a successor state with the representative formula $\phi_2 = \psi$. Now we are able to satisfy $\psi$ immediately, and we are able to satisfy $\phi$ with the finite path $\phi \to \phi_1 \to \phi_2$.

As another example, consider the formula $\phi = (G(Fa) \wedge Gb \wedge F(\neg b))$. Since $F(\neg b)$ is an obligation, we try to satisfy it immediately, but fail. The reason for the failure is that immediate satisfaction of $F(\neg b)$ conflicts with the conjunct $Gb$. In order to try to block this conflict, we add to $\phi$ the conjunct $\neg XGb$, and apply the SAT solver to $(xnf(\phi) \wedge \neg XGb)^p$. This also fails. Furthermore, by constructing a minimal unsat core, we discover that $(xnf(Gb) \wedge \neg X(Gb))^p$ is unsatisfiable. This indicates that $Gb$ is an "invariant"; that is, if $Gb$ is true in a state then it is also true in its successor. This means that the obligation $F(\neg b)$ can never be satisfied, since the conflict can never be removed. Thus, we can conclude that $\phi$ is unsatisfiable without constructing more than one state.

In general, identifying conflicts using minimal unsat cores enables us both to find satisfying traces faster and to conclude faster that such traces cannot be found.

5 Experiments on LTL Satisfiability Checking 

In this section we discuss the experimental evaluation for LTL satisfiability check¬ 
ing. We first describe the methodology used in experiments and then show the 
results. 


5.1 Experimental Methodologies 

The platform used in the experiments is an IBM iDataPlex consisting of 2304 processor cores in 192 Westmere nodes (12 processor cores per node) at 2.83 GHz with 48 GB of RAM per node (4 GB per core), running the 64-bit Redhat 7 operating system. In our experiments, each tool runs on a single core in a single node. We use the Linux command "time" to evaluate the time cost (in seconds) of each experiment. Timeout was set to 60 seconds, and the out-of-time cases are set to cost 60s.

We implemented the satisfiability-checking algorithms introduced in this paper, and named the tool Aalta_v2.0. We compare Aalta_v2.0 with Aalta_v1.2, which is the latest explicit LTL-satisfiability solver (though it does use some SAT solving for acceleration) [17]. (The SAT engine used in both Aalta_v1.2 and Aalta_v2.0 is Minisat [9].) In the literature, Aalta_v1.2 is shown to outperform other existing explicit LTL solvers, so we omit the comparison with these solvers in this paper. Two resolution-based LTL satisfiability solvers, TRP++ [15] and ls4 [30], are also included in our comparison. (Note ls4 utilizes SAT solving as well.)

As shown in [26], LTL satisfiability checking can be reduced to model checking. While BDD-based model checkers were shown to be competitive for LTL satisfiability solving in [26], they were later shown not to be competitive with specialized tools such as Aalta_v1.2 [18]. We do, however, include in our comparison the model checker NuXmv [2], which integrates the latest SAT-based model checking techniques. It uses Minisat as its SAT engine as well. Although standard bounded model checking (BMC) is not complete for LTL satisfiability checking, there are techniques to make it complete, for example incremental bounded model checking (BMC-INC) [13], which is implemented in NuXmv. In addition, NuXmv also implements a newer SAT-based technique, IC3 [1], which can handle liveness properties with the K-liveness technique [3]. We included IC3 with K-liveness in our comparison.

To compare with the K-liveness checking algorithm, we ran NuXmv using the command "check_ltlspec_klive -d". For the BMC-INC comparison, we ran NuXmv with the command "check_ltlspec_sbmc_inc -c". The Aalta_v2.0, Aalta_v1.2 and ls4 tools were run with their default parameters, while TRP++ runs with "-sBFS -FSR". Since the input of TRP++ and ls4 must be in SNF (Separated Normal Form [10]), an SNF generator is required for running these tools. We use the generator TST-translate, which belongs to the ls4 tool suite.

In the experiments we consider the benchmark suite from [27], referred to as schuppan-collected. This suite collects formulas from several prior works, including [26], and has a total of 7446 formulas (3723 representative formulas and their negations). (Testing also the negation of each formula is in essence a check for validity.) In our experiments, we did not find any inconsistency among the solvers that did not time out.

5.2 Results 

The experimental results are shown in Table 1. In the table, the first column lists the different benchmarks in the suite, and the second to eighth columns display the results from the different solvers. Each result in a cell of the table is a tuple (t, n).

(Footnote: Aalta_v2.0 can be downloaded at www.lab205.org/aalta.)

Table 1. Experimental results on the Schuppan-collected benchmark. Each cell lists a tuple (t, n), where t is the total checking time (in seconds) and n is the total number of unsolved formulas.


Formula type        | ls4          | TRP++          | NuXmv-BMCINC | Aalta_v1.2         | NuXmv-IC3-Klive | Aalta_v2.0 without heuristics | Aalta_v2.0 with heuristics
--------------------|--------------|----------------|--------------|--------------------|-----------------|-------------------------------|---------------------------
/acacia/example     | (155, 0)     | (192, 0)       | (1, 0)       | (1, 0)             | (8, 0)          | (1, 0)                        | (1, 0)
/acacia/demo-v3     | (68, 0)      | (2834, 38)     | (3, 0)       | (660, 0)           | (30, 0)         | (630, 0)                      | (3, 0)
/acacia/demo-v22    | (60, 0)      | (67, 0)        | (1, 0)       | (2, 0)             | (4, 0)          | (2, 0)                        | (1, 0)
/alaska/lift        | (2381, 27)   | (15602, 254)   | (1919, 26)   | (4084, 63)         | (867, 5)        | (4610, 70)                    | (1431, 18)
/alaska/szymanski   | (27, 0)      | (283, 4)       | (1, 0)       | (1, 0)             | (2, 0)          | (1, 0)                        | (1, 0)
/anzu/amba          | (5820, 92)   | (6120, 102)    | (536, 7)     | (2686, 40)         | (1062, 8)       | (3876, 60)                    | (928, 4)
/anzu/genbuf        | (2200, 30)   | (7200, 120)    | (782, 11)    | (3343, 54)         | (1350, 13)      | (5243, 94)                    | (827, 4)
/rozier/counter     | (3934, 62)   | (4491, 44)     | (3865, 64)   | (3928, 60)         | (3988, 65)      | (3328, 55)                    | (2649, 40)
/rozier/formulas    | (167, 0)     | (37533, 523)   | (1258, 19)   | (1372, 20)         | (664, 0)        | (1672, 25)                    | (363, 0)
/rozier/pattern     | (2216, 38)   | (15450, 237)   | (1505, 8)    | (8, 0)             | (3252, 17)      | (8, 0)                        | (9, 0)
/schuppan/O1formula | (2193, 34)   | (2178, 35)     | (14, 0)      | (2, 0)             | (95, 0)         | (2, 0)                        | (2, 0)
/schuppan/O2formula | (2284, 35)   | (2566, 41)     | (1781, 28)   | (2, 0)             | (742, 7)        | (2, 0)                        | (2, 0)
/schuppan/phltl     | (1771, 27)   | (1793, 29)     | (1058, 15)   | (1233, 21)         | (753, 11)       | (1333, 21)                    | (767, 13)
/trp/N5x            | (144, 0)     | (46, 0)        | (567, 9)     | (309, 0)           | (187, 0)        | (219, 0)                      | (15, 0)
/trp/N5y            | (448, 10)    | (95, 1)        | (2768, 46)   | (116, 0)           | (102, 0)        | (316, 0)                      | (16, 0)
/trp/N12x           | (3345, 52)   | (45739, 735)   | (3570, 58)   | (768, 48)          | (705, 0)        | (768, 0)                      | (175, 0)
/trp/N12y           | (3811, 56)   | (19142, 265)   | (4049, 67)   | (7413, [illegible])| (979, 0)        | (7413, 100)                   | (154, 0)
/forobots           | (990, 0)     | (1303, 0)      | (1085, 18)   | (2280, 32)         | (37, 0)         | (2130, 30)                    | (524, 0)
Total               | (32014, 463) | (163142, 2428) | (24769, 376) | (31208, 450)       | (14261, 126)    | (31554, 455)                  | (7868, 79)


In each tuple (t, n), t is the total checking time for the corresponding benchmark, and n is the number of formulas in the benchmark left unsolved due to timeout. In particular, the number "0" in the table means that all formulas in the given benchmark were solved. Finally, the last row of the table lists the total checking time and the number of unsolved formulas for each solver.

The results show that while the tableau-based tool Aalta_v1.2 outperforms ls4 and TRP++, it is outperformed by NuXmv-BMCINC and NuXmv-IC3-Klive, both of which are outperformed by Aalta_v2.0, which is faster by about 6,000 seconds and solves 47 more instances than NuXmv-IC3-Klive.

Our framework is explicit and closest to the one underlying Aalta_v1.2. From the results, Aalta_v2.0 with heuristics outperforms Aalta_v1.2 dramatically, being faster by more than 23,000 seconds and solving 371 more instances. One reason is that when Aalta_v1.2 fails, it is often due to a timeout during the heavy-duty normal-form generation, which Aalta_v2.0 simply avoids (generating XNF is rather lightweight).

Generating the states in a lightweight way, however, is not efficient enough on its own. When Aalta_v2.0 is run without heuristics, it cannot perform better than Aalta_v1.2; see the data in columns 5 and 7 of Table 1. It can even be worse on some benchmarks, such as "/anzu/amba" and "/anzu/genbuf". We can explain the reason via an example. Assume the formula is $\phi_1 \vee \phi_2$; the traditional tableau method splits the formula and creates at most two nodes. Under our pure SAT-reasoning framework, however, it may create three nodes, containing $\phi_1$, or $\phi_2$, or $\phi_1 \wedge \phi_2$. This indicates that the state space generated by SAT solvers may in general be larger than that generated by tableau expansion.

To overcome this challenge, we propose heuristics that add specific constraints to the SAT solver, which at the same time reduce the search space of the overall system. The results shown in column 8 of Table 1 demonstrate the effectiveness of the heuristics presented in the paper. For example, the "/trp/N12/" and "/forobots/" benchmarks consist mostly of unsatisfiable formulas, which Aalta_v1.2 and Aalta_v2.0 without heuristics do not handle well. Yet the unsat-core extraction heuristic, which is described in the CONFLICT_ANALYZE mode of the getState function, enables Aalta_v2.0 with heuristics to solve all of these formulas. For satisfiable formulas, the results on the "/anzu/amba/" and "/anzu/genbuf" formulas, which are satisfiable, show the efficiency of the ELIMINATION and SAT_PURSUING heuristics in the getState function, which are necessary to solve these formulas.

In summary, Aalta_v2.0 with heuristics performed best on satisfiable formulas, solving 6750 instances, followed in order by NuXmv-BMCINC (6714), NuXmv-IC3-Klive (6700), Aalta_v1.2 (6689), ls4 (6648), and TRP++ (4711). For unsatisfiable formulas, NuXmv-IC3-Klive performs best, solving 620 instances, followed in order by Aalta_v2.0 with heuristics (617), NuXmv-BMCINC (356), ls4 (335), Aalta_v1.2 (309), and TRP++ (307). Detailed statistics are in Appendix D. Note that NuXmv-IC3-Klive is able to solve more cases than Aalta_v2.0 with heuristics in some benchmarks, such as "/lift" and "/schuppan/phltl", in which unsatisfiable formulas are not handled well enough by Aalta_v2.0. Currently, Aalta_v2.0 requires a large number of SAT calls to identify an unsatisfiable core. In future work we plan to use a specialized MUS (minimal unsatisfiable core) solver to address this challenge.


6 Concluding Remarks 

We described in this paper a SAT-based framework for explicit LTL reasoning. We showed one of its applications, LTL satisfiability checking, by proposing basic algorithms and efficient heuristics. As a proof of concept, we implemented an LTL satisfiability solver whose performance dominates all similar tools. In Appendix E we demonstrate that our approach can be extended from propositional LTL to assertional LTL, yielding an exponential improvement in performance.

Extending the explicit SAT-based approach to other applications of LTL reasoning is a promising research direction. For example, the standard approach in LTL model checking [34] relies on the translation of LTL formulas to Büchi automata. The transition system that is used for LTL satisfiability checking can also be used in the translation from LTL to Büchi automata. Current best-of-breed translators, e.g., [8,11,7,29], are tableau-based, and the SAT approach may yield significant performance improvements.

Of course, the ultimate temporal-reasoning task is model checking. Explicit model checkers such as SPIN [14] start with a translation of LTL to Büchi automata, which are then used by the model-checking algorithm. An alternative approach is to construct the automaton on the fly using SAT techniques, using the framework developed here. Current symbolic model-checking tools, such as NuXmv, rely heavily on SAT solvers to implement algorithms such as BMC [13] or IC3 [1]. The success of the SAT-based explicit LTL-reasoning approach for LTL satisfiability checking suggests that this approach may also be successful in SAT-based model checking. This remains a highly intriguing research possibility.
A Proof of Theorem 1


Proof. If $A$ propositionally satisfies $\phi$ and $\xi \models \bigwedge A$, then $\xi \models \phi$, as $\phi \in A$.

For the other direction, assume that $\xi \models \phi$. Let $A = \{\theta \in cl(\phi) : \xi \models \theta\}$. Clearly, $\phi \in A$. It remains to prove that $A$ is a propositional assignment, which we show by structural induction.

- For $\ell \in L$, either $\xi \models \ell$ or $\xi \models \neg\ell$, so either $\ell \in A$ or $\neg\ell \in A$.

- If $\xi \models (\theta_1 \wedge \theta_2)$, then $\xi \models \theta_1$ and $\xi \models \theta_2$, so both $\theta_1 \in A$ and $\theta_2 \in A$.

- If $\xi \models (\theta_1 \vee \theta_2)$, then $\xi \models \theta_1$ or $\xi \models \theta_2$, so either $\theta_1 \in A$ or $\theta_2 \in A$.

- If $\xi \models (\theta_1\,U\,\theta_2)$, then either $\xi \models \theta_2$, in which case $\theta_2 \in A$, or $\xi \models \theta_1$ and $\xi \models X(\theta_1\,U\,\theta_2)$, in which case $\theta_1 \in A$ and $X(\theta_1\,U\,\theta_2) \in A$.

- If $\xi \models (\theta_1\,R\,\theta_2)$, then $\xi \models \theta_2$, so $\theta_2 \in A$, and either $\xi \models \theta_1$, in which case $\theta_1 \in A$, or $\xi \models X(\theta_1\,R\,\theta_2)$, in which case $X(\theta_1\,R\,\theta_2) \in A$.

□


B Proof of Theorem 2 

Proof. For the first claim, let $r$ be $s_0, s_1, \ldots$ and $r_i = s_i, s_{i+1}, \ldots$ ($i \geq 0$). Assume that no Until subformula is stuck at $r$. We prove by induction that $\mathit{trace}(r_i) \models \psi$ for every $\psi \in s_i$. It follows that $\mathit{trace}(r) \models \phi$.

- Trivially, for a literal $\ell \in s_i$ we have that $\mathit{trace}(r_i) \models \ell$.

- If $(\theta_1 \wedge \theta_2) \in s_i$, then $\theta_1 \in s_i$ and $\theta_2 \in s_i$. By induction, $\mathit{trace}(r_i) \models \theta_1$ and $\mathit{trace}(r_i) \models \theta_2$, so $\mathit{trace}(r_i) \models (\theta_1 \wedge \theta_2)$. The argument for $(\theta_1 \vee \theta_2) \in s_i$ is analogous.

- If $(X\theta) \in s_i$, then $\theta \in s_{i+1}$. By induction, $\mathit{trace}(r_{i+1}) \models \theta$, so $\mathit{trace}(r_i) \models (X\theta)$.

- If $(\theta_1\,U\,\theta_2) \in s_i$, then $\theta_2 \in s_i$, or both $\theta_1 \in s_i$ and $(X(\theta_1\,U\,\theta_2)) \in s_i$, which implies that $(\theta_1\,U\,\theta_2) \in s_{i+1}$. Since $(\theta_1\,U\,\theta_2)$ is not stuck at $r$, there is some $k \geq i$ such that $\theta_2 \in s_k$, and $\theta_1 \in s_j$ for $i \leq j < k$. Using the induction hypothesis and the semantics of Until, it follows that $\mathit{trace}(r_i) \models (\theta_1\,U\,\theta_2)$.

- If $(\theta_1\,R\,\theta_2) \in s_i$, then $\theta_2 \in s_i$ and either $\theta_1 \in s_i$ or $(X(\theta_1\,R\,\theta_2)) \in s_i$, which implies $(\theta_1\,R\,\theta_2) \in s_{i+1}$. It is possible here for $(\theta_1\,R\,\theta_2)$ to be postponed forever. So for all $k \geq i$, we have that either $\theta_2 \in s_k$ or there exists $i \leq j < k$ such that $\theta_1 \in s_j$. Using the induction hypothesis and the semantics of Release, it follows that $\mathit{trace}(r_i) \models (\theta_1\,R\,\theta_2)$.

It follows that if there is a run $r$ of $T_\phi$ such that no Until subformula is stuck at $r$, then $\phi$ is satisfiable.

In the other direction, assume that $\phi$ is satisfiable and there is an infinite trace $\xi \in L^{\omega}$ such that $\xi \models \phi$. Let $\xi = P_0, P_1, \ldots$, and let $\xi_i = P_i, P_{i+1}, \ldots$. As in the proof of Theorem 1, define $A_i = \{\theta \in cl(\phi) : \xi_i \models \theta\}$. As in the proof of Theorem 1, each $A_i$ is a propositional assignment for $\phi$ and, consequently, a state of $T_\phi$. Furthermore, the semantics of Next implies that we have $T(A_i, A_{i+1})$ for $i \geq 0$. Finally, the semantics of Until ensures that no Until is stuck in the run $A_0, A_1, \ldots$. □



C Implementation of LTL-Satisfiability Checking Algorithms

C.1 Main checking algorithm

The main algorithm checks the satisfiability of the input formula on the fly. It implements a depth-first search to identify the lasso described in Theorem 5. Algorithm 1 shows the details of the main algorithm, which is named LTL-CHECK.


Algorithm 1 LTL Main Checking Algorithm: LTL-CHECK
Require: An LTL formula $\phi$.
Ensure: SAT or UNSAT.
1: if $\phi = tt$ (or $\phi = ff$) then
2:     return SAT (or UNSAT);
3: end if
4: Let $\phi = \mathit{xnf}(\phi)$; make $\phi$ ready for the SAT solver;
5: CALL getState($\phi$): get one system state $P$ from $\phi$;
6: while $P$ exists do
7:     Let $\psi = \bigwedge X(P)$ be the next state of $\phi$;
8:     if $\psi$ is in explored then
9:         CALL getState($\phi$) again: get another $P$;
10:        continue;
11:    end if
12:    if $\psi$ is visited then
13:        if model($\psi$) is true then
14:            return SAT;
15:        end if
16:    else
17:        Push $\psi$ to $\mathit{visited}_s$, and push $P$ to $\mathit{visited}_P$;
18:        if LTL-CHECK($\psi$) is SAT then
19:            return SAT;
20:        end if
21:        Pop $\psi$ from $\mathit{visited}_s$, and pop $P$ from $\mathit{visited}_P$;
22:    end if
23:    CALL getState($\phi$) again: get another $P$;
24: end while
25: Push $\phi$ to explored;
26: return UNSAT;


In Algorithm 1, the function $\mathit{xnf}(\phi)$ (in Line 4) is implemented according to Theorem 3. It returns the next normal form of $\phi$. The function getState takes an input LTL formula $\phi$ and outputs another system state $\phi'$ from $\phi$. We have that $T(\mathit{CF}(\phi), X(\mathit{CF}(\phi')))$, which means that $X(\mathit{CF}(\phi'))$ is one of the next states of $\phi$. As mentioned previously, these can be obtained from the assignments of $(\mathit{xnf}(\phi))^{P}$. Another main task of getState is to return, on every invocation, a state that has never been returned before. More details are shown in Algorithm 2.





The main algorithm maintains three global lists: $\mathit{visited}_s$, $\mathit{visited}_P$ and explored, which record visited states, visited assignments and explored states respectively. So $\mathit{visited}_s[i+1]$ is a next state of $\mathit{visited}_s[i]$ ($i \geq 0$), and $\mathit{visited}_P[i+1]$ is an assignment of $\bigwedge X(\mathit{visited}_P[i])$. Note that explored states are those all of whose successors have been visited without a satisfying model being found, so explored states are unsatisfiable formulas. The function model (in Line 13) checks whether the cycle found (containing $\psi$) is accepting. It is evaluated according to Theorem 5.


Algorithm 2 Implementation of getState
Require: an LTL formula $\phi$;
Ensure: a new state of $\phi$;
1: Let $\alpha$ be $(\mathit{xnf}(\phi))^{P} \wedge \underbrace{\bigwedge_{\theta \in \mathit{explored}} \neg X\theta}_{(1)} \wedge \underbrace{\bigwedge_{\beta \in \mathit{history}} \neg\beta}_{(2)}$;
2: if $\alpha$ is satisfiable then
3:     Let $P$ be an assignment of $\alpha$;
4:     $\mathit{history} = \mathit{history} \cup \{\bigwedge P\}$;
5:     return $P$;
6: else
7:     return null;
8: end if


At the very beginning, LTL-CHECK checks whether the formula is $tt$ or $ff$ (Lines 1-3), in which case satisfiability can be determined immediately. Then it computes the next normal form of the input formula $\phi$ (Line 4) and acquires a state $P$ from $(\mathit{xnf}(\phi))^{P}$ (Line 5). If no $P$ exists (Line 6), i.e. $\phi$ has been checked unsatisfiable after exploring all its next states, then $\phi$ is pushed to explored (Line 25) and LTL-CHECK returns UNSAT (Line 26). Otherwise, LTL-CHECK makes sure that the chosen new next state $\psi$ of $\phi$ is not explored (Lines 8-11). Then it checks whether $\psi$ has been visited before (Line 12). If so, a cycle has been found and the model function is invoked to check whether a satisfying model has been found as well (Lines 13-15). If this fails, another $P$ is requested for further checking (Line 23). If $\psi$ has not been visited yet, it is pushed onto visited and LTL-CHECK is invoked recursively with $\psi$ as the new input (Lines 17, 18). If $\psi$ is checked to be SAT, so is $\phi$; otherwise $\psi$ is popped from visited (Line 21) and LTL-CHECK selects another $P$ for further checking (Line 23). One can see that the algorithm terminates as soon as all states from $(\mathit{xnf}(\phi))^{P}$ have been constructed.

The task of getState is not only to return a system state for the input formula, but also to guarantee that each invocation with $\phi$ as input does not return a state that was already created. To achieve this, we introduce another set, history, which stores all states created so far for the current formula $\phi$. The assignment of $\alpha$ in Algorithm 2 is then guaranteed to differ from every assignment created before. Note that in Line 1, the expression labeled (1) excludes those states already explored, which have been shown to be unsatisfiable, and the expression labeled (2) guarantees that assignments which have already appeared cannot be chosen again. Adding these two constraints prevents the SAT solver from creating duplicated assignments. The notation null in Line 7 represents that the required state does not exist.
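As an added example (not code from the paper or from Aalta), the following Python script implements the scheme of Algorithms 1 and 2 in miniature: a state is the set $\mathit{CF}$ of its conjuncts, $\mathit{xnf}$ rewrites it, each propositional assignment $P$ over the literals and the X-atoms yields the successor $\bigwedge X(P)$, and a lasso is accepted when every Until that is a conjunct of a state on the loop has its right-hand side fulfilled on some edge of the loop, which is the criterion of Theorem 5. Two simplifications are assumptions of this example: the SAT solver is replaced by brute-force enumeration of assignments (so it is only practical for formulas with a handful of atoms), and instead of the depth-first lasso search of LTL-CHECK the loop check is done over the strongly connected components of the fully built transition system. The formula $Gb \wedge F\neg b$ from Section 5 is one of the inputs; the tuple encoding of formulas and the other inputs are constructed for the example.

```python
from itertools import product

# Added example: an LTL formula is a nested tuple (this example's own encoding).
TT, FF = ('tt',), ('ff',)
def lit(p, pos=True): return ('lit', p, pos)   # p (pos=True) or not p
def And(f, g): return ('and', f, g)
def Or(f, g): return ('or', f, g)
def X(f): return ('X', f)
def U(f, g): return ('U', f, g)
def R(f, g): return ('R', f, g)
def F(f): return U(TT, f)                      # F f = tt U f
def G(f): return R(FF, f)                      # G f = ff R f

def xnf(f):
    """Next normal form: unfold U/R once so every obligation sits under an X."""
    k = f[0]
    if k in ('lit', 'tt', 'ff', 'X'): return f
    if k in ('and', 'or'): return (k, xnf(f[1]), xnf(f[2]))
    if k == 'U': return Or(xnf(f[2]), And(xnf(f[1]), X(f)))  # f2 or (f1 and X(f1 U f2))
    return And(xnf(f[2]), Or(xnf(f[1]), X(f)))               # f2 and (f1 or X(f1 R f2))

def subformulas(f, acc=None):
    acc = set() if acc is None else acc
    acc.add(f)
    for sub in f[1:]:
        if isinstance(sub, tuple): subformulas(sub, acc)
    return acc

def evalp(f, asg):
    """Value of f^P under asg: literals and X-subformulas are the atoms."""
    k = f[0]
    if k == 'lit': return asg[f[1]] == f[2]
    if k in ('tt', 'ff'): return k == 'tt'
    if k == 'X': return asg[f]
    if k == 'and': return evalp(f[1], asg) and evalp(f[2], asg)
    return evalp(f[1], asg) or evalp(f[2], asg)

def conjuncts(f, acc):
    """CF(f): the top-level conjuncts of f (tt contributes nothing)."""
    if f[0] == 'and':
        conjuncts(f[1], acc); conjuncts(f[2], acc)
    elif f != TT:
        acc.add(f)
    return acc

def build_system(phi):
    """Explore T_phi from CF(phi): a state is a frozenset of conjuncts, and each
    assignment P of xnf(state)^P gives the successor /\X(P) (getState's role).
    Brute-force enumeration of assignments stands in for the SAT solver."""
    subs = subformulas(phi)
    props = sorted({f[1] for f in subs if f[0] == 'lit'})
    xatoms = sorted({f for f in subs if f[0] == 'X'} |
                    {X(f) for f in subs if f[0] in ('U', 'R')}, key=repr)
    untils = [f for f in subs if f[0] == 'U']
    init = frozenset(conjuncts(phi, set()))
    states, edges, todo = {init}, set(), [init]
    while todo:
        s = todo.pop()
        xnf_s = [xnf(c) for c in s]
        for bits in product((False, True), repeat=len(props) + len(xatoms)):
            asg = dict(zip(props + xatoms, bits))
            if not all(evalp(c, asg) for c in xnf_s):
                continue                       # P is not a model of xnf(s)^P
            nxt = set()
            for atom in xatoms:
                if asg[atom]:
                    conjuncts(atom[1], nxt)    # successor state = /\X(P)
            nxt = frozenset(nxt)
            # Untils whose right-hand side this assignment already satisfies
            done = frozenset(u for u in untils if evalp(xnf(u[2]), asg))
            edges.add((s, nxt, done))
            if nxt not in states:
                states.add(nxt); todo.append(nxt)
    return states, edges

def accepting_cycle(nodes, edges):
    """Theorem 5 criterion per SCC: a cycle is a model iff every Until that is a
    conjunct of a state on it is fulfilled on some edge of it. States carrying
    an Until no SCC edge fulfils cannot lie on such a cycle; drop and retry."""
    nodes = set(nodes)
    reach = {s: {t for (u, t, _) in edges if u == s and t in nodes} for s in nodes}
    for k in nodes:                            # Warshall transitive closure
        for i in nodes:
            if k in reach[i]:
                reach[i] |= reach[k]
    seen = set()
    for s in nodes:
        if s in seen or s not in reach[s]:     # handled already, or no cycle
            continue
        scc = {t for t in nodes if t in reach[s] and s in reach[t]}
        seen |= scc
        required = {c for t in scc for c in t if c[0] == 'U'}
        fulfilled = set().union(*(d for (u, t, d) in edges if u in scc and t in scc))
        if required <= fulfilled:
            return True
        bad = required - fulfilled
        if accepting_cycle({t for t in scc if not (bad & t)}, edges):
            return True
    return False

def satisfiable(phi):
    return accepting_cycle(*build_system(phi))
```

For $Gb \wedge F\neg b$ the exploration builds a single state with only a self-loop on which $\neg b$ is never fulfilled, so `satisfiable` returns False after one state, matching the discussion in Section 5; for $(a\,U\,\neg b) \wedge b \wedge Xb \wedge XXb$ it returns True. The SCC-based check is only one way to decide the lasso condition; the paper's LTL-CHECK does it on the fly, state by state, with `explored` and `visited` lists.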

However, simply avoiding the generation of duplicated states is not efficient enough for checking a state space that is exponentially larger than the size of the input formula. In the following section we present heuristics that guide the SAT solver to return the assignments we prefer as soon as possible.

C.2 Guided State Generation 

Recall that, by our basic reasoning theorem (Theorem 5), the principle by which we judge whether a cycle forms a satisfying model is to check the satisfaction of the Until formulas in $\mathit{CF}(\psi)$, where $\psi$ is a state in the cycle. So an intuitive idea to speed up the checking process is to locate such a satisfying cycle as soon as possible. As a satisfying cycle keeps satisfying Until formulas, we follow this route and always try to ask the SAT solver for assignments that satisfy some Until formulas in $\mathit{CF}(\psi)$, where $\psi$ is the current state.


Algorithm 3 Implementation of the ELIMINATION mode
Require: an LTL formula $\phi$ and a global set $U$;
Ensure: a new state of $\phi$;
1: if $U$ is $\emptyset$ then
2:     Turn into the SAT_PURSUING mode.
3:     Reset $U$ to be $U(\phi)$, where $\phi$ is the current state and $U(\phi) \subseteq \mathit{CF}(\phi)$ is the set of Until formulas.
4: end if
5: Let $P$ be an assignment of $(\mathit{xnf}(\phi))^{P} \wedge \bigvee V(U) \wedge \bigwedge_{\theta \in \mathit{explored}} \neg X\theta$, where $V(U) = \{v(u) \mid u \in U\}$;
6: if $P$ is empty then
7:     Turn into the CONFLICT_ANALYZE mode.
8: else
9:     Update $U = U \setminus S$, where $S = \{u \mid v(u) \in P \text{ and } u \in U\}$;
10:    return $P$;
11: end if


We now redesign the getState function in three modes, which focus on different tasks. The ELIMINATION mode tries to fulfil the Until formulas in a global set, the SAT_PURSUING mode pursues a satisfying cycle, and the CONFLICT_ANALYZE mode pursues an unsatisfiable core if all Until formulas remaining in the set are postponed. The getState function runs in the ELIMINATION mode by default. The implementation of the ELIMINATION mode is shown in Algorithm 3.

In the ELIMINATION mode a global set $U$ is used to keep the Until formulas postponed so far. It is initialized as $U(\phi)$, which is the set of Until formulas in $\mathit{CF}(\phi)$ ($\phi$ is the input formula). The task of the ELIMINATION mode is to check whether some elements in $U$ can be satisfied (Line 5). If $U$ becomes empty, the SAT_PURSUING mode is invoked to seek a satisfying cycle (Lines 1, 2). If the SAT_PURSUING mode does not succeed, the set $U$ is reset to $U(\psi)$, where $\psi$ is the current state. Then the attempt to satisfy the elements in $U$ is made again (Line 5). If the attempt is successful, $U$ is updated, the assignment found is returned to LTL-CHECK and getState terminates (Lines 9, 10). Otherwise, it turns into the CONFLICT_ANALYZE mode. Note that the two constraints added in Line 5 enable the SAT solver to prune those states which postpone all elements in $U$ and those whose next states are already explored.

(Footnote: $\mathit{CF}(\psi)$ denotes the set of conjuncts of $\psi$, taking it as an And formula.)


Algorithm 4 Implementation of the SAT_PURSUING mode
Require: an LTL formula $\phi$ and a global set $U$;
Ensure: a next state of $\phi$;
1: Let $\psi = \mathit{visited}_s[0]$ (i.e. $\phi$) if $U = \emptyset$ for the first time; otherwise let $\psi = \bigvee_{i \leq pos} \mathit{visited}_s[i]$, where $pos$ is the previous position at which $U$ became $\emptyset$.
2: Let $P$ be an assignment of $(\mathit{xnf}(\phi) \wedge X\psi)^{P} \wedge \bigwedge_{\theta \in \mathit{explored}} \neg X\theta$;
3: if $P$ is not empty then
4:     return $P$;
5: else
6:     Turn back into the ELIMINATION mode.
7: end if


To find a satisfying cycle, the SAT_PURSUING mode tries to check whether there is a visited state whose position in $\mathit{visited}_s$ is less than or equal to the position where $U$ previously became empty. In particular, if $U$ becomes empty for the first time, then only the initial state can be considered. Line 1 of Algorithm 4 assigns the disjunction of these states to the constraint $\psi$. Line 2 then shows the query to the SAT solver for an assignment whose next state appeared before $U$ previously became empty. If the query succeeds, the SAT_PURSUING mode returns the assignment found to LTL-CHECK, and getState terminates (Line 4). Otherwise the SAT_PURSUING mode turns back to the ELIMINATION mode for further processing (Line 6).

Consider the visited state $\psi$ whose position in $\mathit{visited}_s$ is the one before the position where $U$ becomes empty (if $U$ becomes empty for the first time, then $\psi$ must be the input formula $\phi$). The cycle formed by the SAT_PURSUING mode then succeeds in satisfying all Until formulas in $\mathit{CF}(\psi)$, since $U$ is reset to $U(\psi)$ after $\psi$ and all elements of $U$ are satisfied when $U$ becomes empty again. Thus, according to Theorem 5, a satisfying model is found.





C.3 Unsat Core Extraction 


It may happen that all elements in $U$ are postponed in the ELIMINATION mode. Then the function turns into the CONFLICT_ANALYZE mode, trying to figure out whether 1) $\psi$ is eventually satisfied, or 2) $\psi$ is postponed forever. The trivial way of checking whether all reachable states of $\phi$ postpone $\psi$ has proven inefficient due to its large cost, so we must introduce a cleverer methodology.

Now let us dig into the reason why $\psi$ is postponed in $\phi$. $\psi$ is postponed in $\phi$ iff the formula $\mathit{xnf}(\phi) \wedge v(\psi)$ is unsatisfiable. So there must be a minimal unsat core $S_1 \subseteq \mathit{CF}(\phi)$ such that

- $\mathit{xnf}(\bigwedge S_1) \wedge v(\psi)$ is unsatisfiable; and

- for each $S' \subset S_1$, $\mathit{xnf}(\bigwedge S') \wedge v(\psi)$ is satisfiable.

Note that there is already work on computing such minimal unsat cores (see [21]), and we can directly apply it here.

Now the task changes to checking whether there exists a next state $\phi_1$ of $\phi$ that can avoid the appearance of $S_1$, i.e. $S_1 \not\subseteq \mathit{CF}(\phi_1)$. We can achieve this via SAT solvers by feeding them the formula $\mathit{xnf}(\phi) \wedge \neg X(\bigwedge S_1)$. If the formula is satisfiable, then the modeling assignment is the next state that avoids $S_1$; otherwise, there must be a minimal unsat core $S_2 \subseteq \mathit{CF}(\phi)$ for $\bigwedge S_1$, making $\mathit{xnf}(\bigwedge S_2) \wedge \neg X(\bigwedge S_1)$ unsatisfiable, just as for $\psi$. Then the task changes to checking whether the avoidance of $S_2$ can be achieved in the next state of $\phi$, and so on. This is a recursive process, and one can see that we may maintain a sequence of minimal unsat cores $\rho = S_1, S_2, \ldots$ while computing the next state of $\phi$. Then the question arises: if there is no next state other than itself for the current state $\phi$, how can the minimal-unsat-core computation terminate?

Let $\theta_i = \psi \wedge \bigwedge_{1 \leq j \leq i} \bigwedge S_j$, i.e. the formula which conjoins $\psi$ and the minimal unsat cores from $S_1$ to $S_i$. Apparently $\theta_{i+1} \Rightarrow \theta_i$ holds ($i \geq 1$), and what we expect in order to find a next state is $\theta_i \not\Rightarrow \theta_{i+1}$. Once $\theta_i \Rightarrow \theta_{i+1}$ holds as well, it indicates that $\theta_i$ is the unsat core we want to capture: the Until formula $\psi$ is postponed forever from $\phi$. Indeed, in this case we can prove that $\mathit{xnf}(\theta_i) \wedge \neg X(\theta_i)$ is unsatisfiable, which means that $\psi$ will be postponed in all reachable states of $\phi$.

Assume a next state $\phi_1$ of $\phi$ is found according to the above strategy and a sequence $\rho = S_1, S_2, \ldots, S_k$ ($k \geq 1$) is maintained. Now $\phi_1$ tries to avoid $S_{k-1}$ in its next state; note that $S_k$ is not in $\mathit{CF}(\phi_1)$ but $S_{k-1}$ is. (If $k = 1$ then $\phi_1$ tries to avoid $\psi$ in its next state.) The corresponding formula is $\mathit{xnf}(\phi_1) \wedge \neg X(\bigwedge S_{k-1})$. This attempt may not succeed, and there may be another minimal unsat core $S'_k$ (not $S_k$) for $S_{k-1}$. We must also maintain this information in the sequence. So it turns out that the sequence we have to maintain is a sequence of sets of minimal unsat cores, i.e. $\rho = Q_1, Q_2, \ldots, Q_k$, where each $Q_i$ is a set of minimal unsat cores.

For example, consider $\phi = (a\,U\,\neg b) \wedge b \wedge Xb \wedge XXb$. We can easily see that $\psi = a\,U\,\neg b$ is currently postponed and $Q_1 = \{\{b\}\}$. Moreover $Q_2 = \{\{Xb\}\}$ and $Q_3 = \{\{XXb\}\}$. According to our strategy above, we first try to avoid the elements in $Q_3$, that is, to check $\mathit{xnf}(\phi) \wedge \neg X(\bigvee_{S \in Q_3} \bigwedge S)$. Then we get the next state $\phi_1 = (a\,U\,\neg b) \wedge b \wedge Xb$. Similarly we get $\phi_2 = (a\,U\,\neg b) \wedge b$ and $\phi_3 = a\,U\,\neg b$. By then we know that $\psi = a\,U\,\neg b$ is not postponed.

For the formula $\phi = Fa \wedge G\neg a$, we know that $\psi = Fa$ is currently postponed and $Q_1 = \{\{Fa, G\neg a\}\}$. Since $\theta_1 = \psi \wedge \bigvee_{S \in Q_1} \bigwedge S = Fa \wedge G\neg a$ and $\theta_1 \wedge \neg X\theta_1$ is unsatisfiable, an unsat core is already found and $\psi$ will be postponed from $\phi$ forever. So we can terminate by returning unsatisfiable and the unsat core $Fa \wedge G\neg a$.

For a more complicated example, consider $\phi = F(\neg a \wedge \neg b) \wedge a \wedge G((a \rightarrow Xb) \wedge (b \rightarrow Xa))$. The Until formula $\psi = F(\neg a \wedge \neg b)$ is currently postponed and $Q_1 = \{\{a\}\}$. By avoiding the elements in $Q_1$ in the next state, i.e. by checking $\mathit{xnf}(\phi) \wedge \neg X(\bigvee_{S \in Q_1} \bigwedge S)$, we get the next state $\phi_1 = F(\neg a \wedge \neg b) \wedge b \wedge G((a \rightarrow Xb) \wedge (b \rightarrow Xa))$. Now $\psi$ is also postponed, due to $b \in \mathit{CF}(\phi_1)$, and we update $Q_1 = \{\{a\}, \{b\}\}$. Then we collect the existing states $\phi, \phi_1$ together into the set $Sts$, and try to avoid the elements in $Q_1$ in the next state of these states; the formula is $\mathit{xnf}(\bigvee Sts) \wedge \neg X(\bigvee_{S \in Q_1} \bigwedge S)$. But this attempt still fails. So we get $Q_2 = \{\{a, G((a \rightarrow Xb) \wedge (b \rightarrow Xa))\}, \{b, G((a \rightarrow Xb) \wedge (b \rightarrow Xa))\}\}$. As we see, $\theta_2 = \psi \wedge (\bigvee_{S \in Q_1} \bigwedge S) \wedge (\bigvee_{S \in Q_2} \bigwedge S)$ is an invariant, i.e. $\mathit{xnf}(\theta_2) \wedge \neg X\theta_2$ is unsatisfiable, so we know that $\theta_2$ is the unsat core and $\phi$ is unsatisfiable.

Now we define the sequence maintained in the CONFLICT_ANALYZE mode, which we call the avoidable sequence.

Definition 6 (Avoidable Sequence). For an LTL formula $\phi$ and an Until subformula $\psi$ of $\phi$, the avoidable sequence of $\psi$ is a sequence $\rho = Q_0, Q_1, \ldots$, where $Q_i \subseteq 2^{cl(\phi)}$ and

- $Q_0 = \{\{\psi\}\}$;

- For $i \geq 0$, let $\theta_i = \bigwedge_{0 \leq j \leq i} (\bigvee_{S \in Q_j} \bigwedge S)$; then $S' \in Q_{i+1}$ ($S' \subseteq cl(\phi)$) iff

1. $(\theta_i \wedge \neg X(\theta_i))$ is satisfiable;

2. $(\bigwedge S') \wedge (\theta_i \wedge \neg X(\theta_i))$ is unsatisfiable;

3. For each $S'' \subset S'$, $(\bigwedge S'') \wedge (\theta_i \wedge \neg X(\theta_i))$ is satisfiable.

In particular, we say that $\rho$ is an unavoidable sequence if there is $k \geq 0$ such that $\theta_k \Rightarrow \theta_{k+1}$.

The avoidable sequence is an abstract way to represent the set of states that postpone $\psi$. If a state $\phi'$ in the transition system satisfies $\phi' \Rightarrow \theta_i$, then $\phi'$ is represented by $\theta_i$. Let $S_{\theta_i}$ be the set of states represented by $\theta_i$ ($i \geq 1$); it is easy to see that $S_{\theta_{i+1}} \subseteq S_{\theta_i}$, because $\theta_{i+1} \Rightarrow \theta_i$. For example, assume the avoidable sequence $\rho = \{\{a\}\}, \{\{b\}\}$; then we know $\theta_1 = a$ and $\theta_2 = a \wedge b$. Apparently the state $a \wedge \neg b$ can be represented by $\theta_1$, but not by $\theta_2$. Since the set of states in $T_\phi$ is finite, the avoidable sequence must also be finite.

Lemma 1. For an LTL formula $\phi$ and an Until subformula $\psi$ of $\phi$, the avoidable sequence of $\psi$ is finite.

In particular, when $\rho$ is an unavoidable sequence, i.e. $\theta_{k-1} \Rightarrow \theta_k$ ($k > 0$), this essentially means $S_{\theta_{k-1}} = S_{\theta_k}$. We can prove that in this case $\theta_k$ covers all states that postpone $\psi$ forever. Before that, we introduce the following lemma.



Lemma 2. For an LTL formula $\phi$ and an Until subformula $\psi$ of $\phi$, if $\rho = Q_0, Q_1, \ldots, Q_k$ ($k \geq 1$) is an unavoidable sequence of $\psi$, then $\mathit{xnf}(\theta_k) \wedge \neg X(\theta_k)$ is unsatisfiable.

Proof. Since $\rho$ is an unavoidable sequence, $\theta_{k-1} \Rightarrow \theta_k$. Assume $\lambda$ is a state represented by $\theta_{k-1}$; it is also in $S_{\theta_k}$ if there is $S \in Q_k$ such that $S \subseteq \mathit{CF}(\lambda)$. Now recall the meaning of the elements in $Q_k$: since $S \in Q_k$, it satisfies that $\mathit{xnf}(\lambda \wedge \bigwedge S) \wedge \neg X(\theta_{k-1})$ is unsatisfiable. This means that the reason (minimal unsat core) causing all next states of $\lambda$ to be in $S_{\theta_{k-1}}$ as well is contained in $\lambda$ itself. Thus all next states of states in $S_{\theta_{k-1}}$ are also in $S_{\theta_k}$, which formally means that $\mathit{xnf}(\theta_k) \wedge \neg X(\theta_k)$ is unsatisfiable. □


Algorithm 5 Implementation of the CONFLICT_ANALYZE mode
Require: an LTL formula $\phi$ postponing all Until formulas in $U$;
Ensure: a finite path satisfying at least one element of $U$, or an unsat core;
1: Get some reachable states from $\phi$ and put them into $Sts$ (including $\phi$);
2: Let $\rho = \{\{U\}\}$ and $pos = 0$;
3: Let $\theta_{pos} = \bigwedge_{0 \leq i \leq pos} \bigvee_{S \in \rho[i]} \bigwedge S$;
4: while true do
5:     while $(\mathit{xnf}(\bigvee Sts) \wedge \neg X(\theta_{pos}))^{P}$ is satisfiable do
6:         Let $P$ be the assignment and add $X(P)$ to $Sts$;
7:         $pos = pos - 1$ and update $\theta_{pos}$ ($pos$ has changed);
8:         if $pos < 0$ then
9:             return the finite path leading from $\phi$ to $X(P)$;
10:        end if
11:    end while
12:    Add the computed set of minimal unsat cores to $\rho[pos+1]$ (if $\rho[pos+1]$ does not exist, extend $\rho$);
13:    $pos = pos + 1$ and update $\theta_{pos}$;
14:    while $\mathit{xnf}(\bigvee Sts) \wedge \neg X(\theta_{pos})$ is unsatisfiable do
15:        Add the computed set of minimal unsat cores to $\rho[pos+1]$ (if $\rho[pos+1]$ does not exist, extend $\rho$);
16:        $pos = pos + 1$ and update $\theta_{pos}$;
17:        if $\mathit{xnf}(\theta_{pos}) \wedge \neg X(\theta_{pos})$ is unsatisfiable then
18:            return $\theta_{pos}$ as the unsat core;
19:        end if
20:    end while
21:    Let $P$ be the assignment of $(\mathit{xnf}(\bigvee Sts) \wedge \neg X(\theta_{pos}))^{P}$ and add $X(P)$ to $Sts$;
22:    $pos = pos - 1$ and update $\theta_{pos}$;
23: end while


Let $S_\rho$ be the set of states represented by the avoidable sequence $\rho$; then we have

Theorem 6. For an LTL formula $\phi$ and an Until subformula $\psi$ of $\phi$, if $\rho$ is an unavoidable sequence of $\psi$, then all states represented by $S_\rho$ are unsatisfiable.






Proof. From Lemma 2 we know that all next states of states in $S_\rho$ are also in $S_\rho$. And since every state represented by $S_\rho$ postpones $\psi$, all states in $S_\rho$ together postpone $\psi$ forever. Thus all states represented by $S_\rho$ are unsatisfiable. □

Now we present the improved algorithm for the CONFLICT_ANALYZE mode. The algorithm maintains the information of the avoidable sequence in this mode and utilizes it to locate the result. We should note that computing elements of the avoidable sequence is relatively expensive so far, especially when extending the length of the sequence. If the Until formula finally turns out to be satisfiable, then maintaining an unnecessarily long sequence wastes time. To balance these situations, our algorithm starts from a set of states reachable from the initial postponed state rather than from that state alone, which increases the chance of finding the Until formula satisfiable earlier.

Let $\rho = Q_0, Q_1, \ldots, Q_k$; we use $\rho[i]$ to represent $Q_i$ in the algorithm. The variable $pos$ points to the position of $\rho$ whose elements should currently be avoided. The notation $X(P)$ means the set of Next formulas in $P$ (they form the next state). In Line 1, users can decide for themselves the number of reachable states and how to acquire them.

D More experiments on LTL-Satisfiability Checking 


Table 2. Experimental results on the Schuppan-collected benchmark for satisfiable formulas. Each cell lists a tuple (t, n), where n is the total number of solved formulas and t is the total checking time for solving these n cases (in seconds).

Formula type        | ls4           | TRP++               | NuXmv-BMCINC | Aalta_v1.2    | NuXmv-IC3-Klive | Aalta_v2.0
--------------------|---------------|---------------------|--------------|---------------|-----------------|-------------
/acacia/example     | (152, 49)     | (192, 50)           | (0, 50)      | (1, 50)       | (8, 50)         | (1, 50)
/acacia/demo-v3     | (748, 40)     | (554, 34)           | (3, 72)      | (3, 72)       | (30, 72)        | (3, 72)
/acacia/demo-v22    | (60, 20)      | (67, 20)            | (0, 20)      | (2, 20)       | (4, 20)         | (1, 20)
/alaska/lift        | (487, 22)     | (322, 16)           | (282, 238)   | (4084, 163)   | (529, 233)      | (367, 229)
/alaska/szymanski   | (27, 8)       | (43, 4)             | (0, 8)       | (1, 8)        | (2, 8)          | (0, 8)
/anzu/amba          | (0, 0)        | (0, 0)              | (116, 95)    | (2686, 65)    | (582, 94)       | (273, 98)
/anzu/genbuf        | (0, 0)        | (0, 0)              | (122, 109)   | (3343, 79)    | (570, 107)      | (422, 116)
/rozier/counter     | (1214, 90)    | (1851, 108)         | (25, 88)     | (928, 60)     | (88, 87)        | (289, 114)
/rozier/formulas    | (163, 3890)   | ([illegible], 3370) | (88, 3890)   | (1372, 3890)  | (649, 3890)     | (28, 3890)
/rozier/pattern     | (936, 260)    | (1230, 251)         | (1025, 480)  | (8, 488)      | (2232, 471)     | (9, 488)
/schuppan/O1formula | (49, 10)      | (51, 10)            | (7, 27)      | (2, 27)       | (59, 27)        | (1, 27)
/schuppan/O2formula | (77, 10)      | (89, 10)            | (98, 24)     | (2, 27)       | (253, 27)       | (0, 27)
/schuppan/phltl     | (87, 5)       | (33, 4)             | (135, 17)    | (233, 10)     | (78, 18)        | (1, 17)
/trp/N5x            | (81, 371)     | (83, 371)           | (10, 371)    | (309, 360)    | (145, 371)      | (12, 371)
/trp/N5y            | (334, 234)    | (331, 234)          | (8, 234)     | (16, 234)     | (84, 234)       | (10, 234)
/trp/N12x           | (4425, 268)   | (1639, 65)          | (33, 625)    | (768, 620)    | (531, 625)      | (94, 625)
/trp/N12y           | (3173, 118)   | (3062, 111)         | (29, 313)    | (413, 313)    | (318, 313)      | (12, 313)
/forobots           | (696, 53)     | (914, 53)           | (3, 53)      | (280, 53)     | (27, 53)        | (30, 53)
Total               | (12718, 5448) | (16556, 4711)       | (1994, 6714) | (14451, 6689) | (6189, 6700)    | (1554, 6750)


This section shows more experimental results on LTL-satisfiability checking. 
First we complete the results in Table 1 and list the results on satisfiable and 




Table 3. Experimental results on the Schuppan-collected benchmark for unsatisfiable 
formulas. Each cell lists a tuple {t, n) where n is the total number of solved formulas 
and t is the total checking time for solving these n cases (in seconds). 


Formula type 

ls4 

TRP++ 

INuXmv-BMCINC 

Aalta_vl.2 

|NuXmv-lC3-Klive 

|Aalta_v2.0 

/ acacia/example 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/ acacia/demo-v3 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/ acacia/demo-v22 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/alaska/lift 

73 

22 

3 

2 

77 

8 

384 

10 

38 

34 

544 

30 

/ alaska/ szymanski 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/anzu/amba 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/anzu/genbuf 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/ rozier / counter 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/ rozier / formulas 

4 

110 

66 

107 

29 

91 

40 

100 

15 

110 

1 

110 

/ rozier / pattern 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

/ schuppan / 0 Iformula 

103 

10 

27 

9 

7 

27 

2 

27 

36 

27 

2 

27 

/ schuppan / 0 2formula 

106 

9 

16 

3 

3 

2 

2 

27 

69 

20 

5 

27 

/ schuppan / phltl 

64 

4 

19 

3 

22 

4 

89 

4 

15 

7 

36 

4 

/trp/N5x 

62 

109 

62 

109 

17 

100 

139 

88 

42 

109 

8 

109 

/trp/N5y 

113 

46 

104 

45 

0 

0 

130 

10 

18 

46 

16 

46 

/trp/N12x 

0 

0 

0 

0 

56 

117 

456 

20 

174 

175 

64 

174 

/trp/N12y 

277 

6 

180 

4 

0 

0 

34 

13 

95 

67 

238 

67 

/forobots 

293 

25 

388 

25 

2 

7 

280 

10 

10 

25 

32 

23 

Total 

1102 

323 

906 

307 

215 

356 

1556 

309 

512 

620 

946 

617 


unsatisfiable formulas separately, which are respectively shown in Table 2 and 
Table 3. Slightly different with Table 1, each cell of these two tables lists a tuple 
{t, n) where n is the total number of solved formulas and t is the total checking 
time for solving these n cases (in seconds). In these two table Aalta_v2.0 is 
tested by using heuristics. The separation may help readers understand better 
of checking performance on satisfiability and unsatisfiability. 

In addition to the Schuppan-collected benchmarks, we also tested all solvers on
the random conjunction formulas proposed in [18]. A random conjunction formula
$RC(n)$ has the form $\bigwedge_{1 \le i \le n} P_i(v_j, v_k)$, where n is the
number of conjuncts and $P_i$ ($1 \le i \le n$) is a randomly chosen pattern
formula of the kind used frequently in practice (see the LTL pattern catalogue at
http://patterns.projects.cis.ksu.edu/documentation/patterns/ltl.shtml). The
motivation is that individual temporal assertions are typically quite small in
practice; what often makes LTL satisfiability checking hard is that we must check
large collections of such small formulas, i.e., check that the conjunction of all
input assertions is satisfiable. In our experiment n varies from 1 to 30, and for
each n a set of 100 conjunction formulas is generated randomly. The results are
shown in Fig. 2: Aalta_v2.0 (with heuristics) performs best among the tested
solvers, achieving approximately a 30% speed-up over the second best solver
(NuXmv).

Fig. 2. Results for LTL-satisfiability checking on Random Conjunction Formulas.


E SMT-based Temporal Reasoning 


An additional motivation to base explicit temporal reasoning on SAT solving
is the need to handle LTL formulas with assertional atoms, that is, atoms that
are non-Boolean state assertions, e.g., assertions about program variables such
as k < 10. Existing explicit temporal-reasoning techniques abstract such
assertions as propositional atoms. Consider, for example, the LTL formula
$\phi = \bigwedge_{1 \le i \le n} F(k = i)$, which asserts that k should assume
all values between 1 and n. By abstracting $k = i$ as $p_i$, we get the formula
$\phi' = \bigwedge_{1 \le i \le n} F p_i$, but the transition system for the
abstract formula has $2^n$ states, while the transition system for the original
formula has only n states. This problem was noted but not solved in [31];
clearly, reasoning about non-Boolean assertions requires reasoning at the
assertion level. Basing explicit temporal reasoning on SAT solving would enable
us to lift it to the assertion level by using Satisfiability Modulo Theories
(SMT) solving. SMT solving is the decision problem for logical formulas over
combinations of background theories expressed in classical first-order logic.
Theories typically used include the theory of real numbers, the theory of
integers, and the theories of various data structures such as lists, arrays, and
bit vectors. SMT solvers have shown dramatic progress over the past couple of
decades and are now routinely used in industrial software development [24].



So far, we have described how to use SAT solving for checking satisfiability of
propositional LTL formulas. In this section we show that our approach extends to
assertional LTL formulas. In many applications we need to handle LTL formulas
with assertional atoms, that is, atoms that are non-Boolean state assertions,
e.g., assertions about program variables. For example, the Spin model checker
uses temporal properties expressed in LTL with assertions about Promela state
variables [14]. Existing explicit temporal-reasoning tools, e.g., SPOT [8],
abstract such assertions as propositional atoms.

Recall that our approach uses SAT solvers to compute assignments of the formulas
$\phi^p$ (where $\phi$ is in XNF). The states of the transition system are then
obtained from these assignments. When $\phi$ is an assertional LTL formula, the
formula $\phi^p$ is not a propositional formula but a Boolean combination of
theory atoms, for an appropriate theory. Thus our approach is still applicable,
except that the underlying SAT solver must be replaced by an SMT solver.

Consider, for example, the formula $\phi = F(k = 1) \wedge F(k = 2)$. The XNF of
$\phi$, i.e. $xnf(\phi)$, is
$((v(F(k = 1)) \wedge (k = 1)) \vee (\neg v(F(k = 1)) \wedge XF(k = 1))) \wedge
((v(F(k = 2)) \wedge (k = 2)) \vee (\neg v(F(k = 2)) \wedge XF(k = 2)))$.
If we use a SAT solver, we can obtain an assignment such as
$A = \{(k = 1), v(F(k = 1)), \neg XF(k = 1), (k = 2), v(F(k = 2)), \neg XF(k = 2)\}$,
which is consistent propositionally but inconsistent theory-wise, since k cannot
equal 1 and 2 at the same time. This is avoided by using an SMT solver. In
general, for a formula $\phi_n = \bigwedge_{1 \le i \le n} F(k = i)$, the
SAT-based approach generates $O(2^n)$ states in the transition system, whereas
only n states need to be generated. This can be achieved by replacing the SAT
solver in our approach by an SMT solver. The performance gap between the
SAT-based and the SMT-based approach would thus be exponential. Indeed, the
performance of SPOT on the formulas $\phi_n$ is exponential in n.
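As an added illustration (not code from the paper or from Aalta), the following Python models the one-step successors of $\phi_n$ under the XNF expansion above and applies the theory check that a SAT solver lacks: k is a single integer, so at most one atom k = i can hold in a state. It reproduces the assignment A and counts how many of the $2^n$ propositionally consistent successor sets survive the theory check (in this model n + 1: the all-postponed state plus the n states that satisfy one conjunct now). Function names are my own.

```python
from itertools import product

# Added example (not from the paper or Aalta): models phi_n = AND_{1<=i<=n} F(k = i)
# under the XNF expansion xnf(F(k=i)) = (v_i AND k=i) OR (NOT v_i AND X F(k=i)).
# The atom k=i is encoded by the integer i; a state is the frozenset of indices
# whose F(k=i) is still pending (carried over by the Next formulas).

def xnf_assignments(n):
    """Enumerate the assignments of xnf(phi_n) as a SAT solver sees them.

    Each conjunct F(k=i) is either satisfied now (v_i true, atom k=i true,
    XF(k=i) false) or postponed (v_i false, XF(k=i) true).  Returns a list of
    (now, nxt): `now` holds the i whose atom k=i is true, `nxt` the indices
    whose F(k=i) is pushed into the successor state.
    """
    result = []
    for choice in product((True, False), repeat=n):  # True = satisfy now
        now = frozenset(i + 1 for i, c in enumerate(choice) if c)
        nxt = frozenset(i + 1 for i, c in enumerate(choice) if not c)
        result.append((now, nxt))
    return result

def theory_consistent(now):
    """The check a SAT solver cannot make: k is one integer variable, so two
    distinct equalities k=i and k=j cannot both hold in the same state."""
    return len(now) <= 1

def sat_successors(n):
    """SAT-based view: every propositionally consistent assignment yields a
    successor, so phi_n has 2**n distinct successor states."""
    return {nxt for _, nxt in xnf_assignments(n)}

def smt_successors(n):
    """SMT-based view: assignments with conflicting theory atoms are dropped,
    leaving the all-postponed state plus the n states that satisfy one conjunct."""
    return {nxt for now, nxt in xnf_assignments(n) if theory_consistent(now)}

def assignment_A():
    """The assignment A from the text (n = 2): k=1, v(F(k=1)), not XF(k=1),
    k=2, v(F(k=2)), not XF(k=2).  Returns (now, nxt, passes_theory_check)."""
    now, nxt = frozenset({1, 2}), frozenset()
    return now, nxt, theory_consistent(now)

if __name__ == "__main__":
    for n in range(1, 6):
        print(n, len(sat_successors(n)), len(smt_successors(n)))
    print("A passes theory check?", assignment_A()[2])
```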

As a proof of concept, we checked satisfiability of the formulas $\phi_n$, for
n = 1, ..., 100, with Aalta_v2.0. We then replaced Minisat by Z3, a
state-of-the-art SMT solver [24]. The performance results, shown in Fig. 3,
indeed exhibit an exponential gap between the SAT-based approach and the
SMT-based approach. (Of course, we also gain in correctness: the formula
$F(k = 1 \wedge k = 2)$ is satisfiable when considered propositionally but
unsatisfiable when considered assertionally.) Applying SMT-based techniques to
other temporal-reasoning tasks, such as translating LTL to Büchi automata [11]
or to runtime monitors [31], is a promising research direction.




Fig. 3. Results for LTL-satisfiability checking on $\bigwedge_{1 \le i \le n} F(k = i)$.


